9.3. Testing Encryption with Static Keys

Now you want to test using encryption keys with OpenVPN, and you want the simplest method for testing possible.

Use shared static keys. This is less secure than creating a proper Public Key Infrastructure (PKI), but is easy to set up for testing. Follow these steps:

In this recipe, the OpenVPN server is again Xena at IP address 192.168.3.10, and the client is Stinkpad at 192.168.2.100. First, create the shared static key on the OpenVPN server with this command:

	root@xena:~# openvpn --genkey --secret static.key

Then, copy it to the client PC:

	root@xena:~# scp static.key 192.168.2.100:/etc/openvpn/keys/

Now, create the server configuration file. I call it /etc/openvpn/server1.conf; you can call it anything you like. Use tunnel endpoint addresses on a subnet that is different from your server's LAN. Xena is at 192.168.3.10, so let's make Xena's tunnel endpoint address 10.0.0.1:

	## openvpn server1.conf
	dev tun
	# local tunnel endpoint first, then the client's tunnel endpoint
	ifconfig 10.0.0.1 10.0.0.2
	secret /etc/openvpn/keys/static.key
	# listen only on Xena's LAN address
	local 192.168.3.10

Then, create the client configuration file on Stinkpad. Stinkpad's tunnel endpoint address is 10.0.0.2:

	## openvpn client1.conf
	# the OpenVPN server's LAN address
	remote 192.168.3.10
	dev tun
	# local tunnel endpoint first, then the server's tunnel endpoint
	ifconfig 10.0.0.2 10.0.0.1
	secret /etc/openvpn/keys/static.key

Make sure that OpenVPN is not already running on the client or server, then start it up on both with these commands:

	root@xena:~# openvpn /etc/openvpn/server1.conf
	root@stinkpad:~# openvpn /etc/openvpn/client1.conf

Just like in the previous recipe, you'll see Initialization Sequence Completed when the tunnel is up, and the two machines can ping each other over their tunnel addresses:

	carla@xena:~$ ping 10.0.0.2
	terry@stinkpad:~$ ping 10.0.0.1

Hit Ctrl-C on both tunnel endpoints to shut the tunnel down.

Watch your messages when you establish the tunnels. When you set up the unencrypted tunnel, the warning:

	******* WARNING *******: all encryption and authentication features disabled -- all
	data will be tunnelled as cleartext

was displayed. That should be gone now.
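Because the same static.key file has to be present and intact on both Xena and Stinkpad, it is worth checking each copy before starting the tunnel. The POSIX shell script below is an added example, not part of the cookbook: it verifies that a file has the OpenVPN Static key V1 markers and a 512-hex-digit (2048-bit) body, that it is readable only by its owner, and prints a SHA-256 fingerprint you can compare on both hosts. The function names and the GNU/BSD stat fallback are my assumptions.

```sh
#!/bin/sh
# Sanity-check an OpenVPN static key file before starting the tunnel.
# Added example; function names and the stat fallback are assumptions.
# Run it on both endpoints against /etc/openvpn/keys/static.key and
# compare the two fingerprints.

# Return 0 if $1 is a well-formed "OpenVPN Static key V1" file:
# BEGIN/END markers present and a body of exactly 512 hex digits
# (256 bytes, the 2048-bit key that `openvpn --genkey` writes).
check_static_key() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read file" >&2; return 1; }
    grep -q -- '^-----BEGIN OpenVPN Static key V1-----$' "$f" ||
        { echo "$f: missing BEGIN marker" >&2; return 1; }
    grep -q -- '^-----END OpenVPN Static key V1-----$' "$f" ||
        { echo "$f: missing END marker" >&2; return 1; }
    # Join the lines between the markers into one hex string.
    hex=$(sed -n '/^-----BEGIN/,/^-----END/p' "$f" | grep -v -- '^-----' | tr -d '\n')
    case "$hex" in
        *[!0-9a-fA-F]*) echo "$f: non-hex data in key body" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 512 ] ||
        { echo "$f: key body is ${#hex} hex digits, expected 512" >&2; return 1; }
    return 0
}

# Return 0 if the key is readable only by its owner (mode 600 or stricter).
# Check the copy on the client as well as the original on the server.
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1: mode ${mode:-?} is too permissive; run chmod 600" >&2; return 1 ;;
    esac
}

# Print a SHA-256 fingerprint of the file so the server and client copies
# can be compared without sending the key over the network again.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: check_static_key FILE && check_key_perms FILE && key_fingerprint FILE
```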

This isn't quite good enough for production machines; see the next recipe to learn a better setup for the real world.

The problem with using static keys is that you lose perfect forward secrecy, because the static key never changes. If an attacker captured your network traffic and later obtained or cracked your static key, the attacker could decrypt everything, past and future. OpenVPN also supports PKI, which is more complex to set up but ensures perfect forward secrecy. OpenVPN's PKI mode generates four different keys, separate encrypt/decrypt keys for the send direction and for the receive direction, and changes them every hour. So, at best, a successful attacker can decrypt one hour's worth of traffic, and then has to start over. See Charlie Hosner's excellent paper, "OpenVPN and the SSL Revolution" (http://www.sans.org/reading_room/whitepapers/vpns/1459.php?portal=c7da694586dcdad815fd41098461e495), for more details on how this works.